Effect: The effect can be
Allow or Deny. By default, IAM users
have no permission to use resources or API actions, so every request
is denied (an implicit deny). An explicit allow overrides that default. An
explicit deny overrides any allow, no matter where the deny is stated, so a
Deny statement is the reliable way to carve an exception out of a broad Allow.

Action: The action is the
specific API action for which you are granting or denying permission. To
learn about specifying action, see Actions for Amazon EC2.

Resource: The resource that's affected by the
action. Some Amazon EC2 API actions allow you to include specific resources
in your policy that can be created or modified by the action. To specify
a resource in the statement, you need to use its Amazon Resource Name
(ARN). For more information about specifying the ARN value, see Amazon Resource Names for Amazon EC2. For more
information about which API actions support which ARNs, see Supported Resource-Level Permissions for Amazon EC2 API Actions. If the API
action does not support ARNs, use the * wildcard to specify that all
resources can be affected by the action.

Condition: Conditions are optional. They can be
used to control when your policy is in effect. For more information
about specifying conditions for Amazon EC2, see Condition Keys for Amazon EC2.

Actions for Amazon EC2

In an IAM policy statement, you can specify any API action from any service
that supports IAM. For Amazon EC2, use the prefix ec2: with the name of the
API action. For example: ec2:RunInstances and ec2:CreateImage.

To specify multiple actions in a single statement, separate them with commas
as follows:

"Action": ["ec2:action1", "ec2:action2"]

You can also specify multiple actions using wildcards. For example, you can
specify all actions whose name begins with the word "Describe" as
follows:

"Action": "ec2:Describe*"

To specify all Amazon EC2 API actions, use the * wildcard as follows:

"Action": "ec2:*"

Combined with "Resource": "*", this grants every current and future Amazon EC2
permission, so prefer listing the actions a user or role actually needs.

For a list of Amazon EC2 actions, see Actions in the Amazon EC2 API Reference.

Amazon Resource Names for Amazon EC2

Each IAM policy statement applies to the resources that you specify using
their ARNs.

Important

Currently, not all API actions support individual ARNs. We'll add support for additional
API actions and ARNs for additional Amazon EC2 resources later. For information
about which ARNs you can use with which Amazon EC2 API actions, as well as
supported condition keys for each ARN, see Supported Resource-Level Permissions for Amazon EC2 API Actions.

An ARN has the following general syntax:

arn:aws:[service]:[region]:[account]:resourceType/resourcePath

service

The service (for example, ec2).

region

The region for the resource (for example,
us-east-1).

account

The AWS account ID, with no hyphens (for example,
123456789012). A few resource types are not owned by an account and leave
this field empty; an AMI ARN, for instance, has the form
arn:aws:ec2:region::image/ami-id.

resourceType

The type of resource (for example, instance).

resourcePath

A path that identifies the resource. You can use the * wildcard in
your paths.

For example, you can indicate a specific instance
(i-1234567890abcdef0) in your statement using its ARN as
follows:

"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0"

Many Amazon EC2 API actions involve multiple resources. For example, AttachVolume
attaches an Amazon EBS volume to an instance, so an IAM user must have permissions
to use both the volume and the instance. To specify multiple resources in a single
statement, separate their ARNs with commas, as follows:

"Resource": ["arn:aws:ec2:us-east-1:123456789012:instance/*", "arn:aws:ec2:us-east-1:123456789012:volume/*"]

Condition Keys for Amazon EC2

In a policy statement, you can optionally specify conditions that control when it
is in effect. Each condition contains one or more key-value pairs. Condition keys are
not case-sensitive; whether the values are depends on the condition operator
(StringEquals compares values case-sensitively, StringEqualsIgnoreCase does not).
We've defined AWS-wide condition keys, plus additional service-specific condition keys.

If you specify multiple conditions, or multiple keys in a single condition, we evaluate
them using a logical AND operation. If you specify a single condition with
multiple values for one key, we evaluate the condition using a logical OR
operation. For permissions to be granted, all conditions must be met.

You can also use placeholders when you specify conditions. For example, you
can grant an IAM user permission to use resources with a tag that specifies
his or her IAM user name. For more information, see Policy Variables in the
IAM User Guide.

Important

Many condition keys are specific to a resource, and some API actions use
multiple resources. If you write a policy with a condition key, use the
Resource element of the statement to specify the resource
to which the condition key applies. If not, the policy may prevent users
from performing the action at all, because the condition check fails for the
resources to which the condition key does not apply. If you do not want to
specify a resource, or if you've written the Action element of
your policy to include multiple API actions, then you must use the
...IfExists condition type to ensure that the condition key
is ignored for resources that do not use it. For more information, see
...IfExists Conditions in the
IAM User Guide.
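The rules above (implicit deny by default, explicit deny overriding allow, the * and ? wildcards in Action and Resource, case-insensitive action names and condition keys, AND across condition keys, OR across the values of one key, ...IfExists, and ${aws:username} substitution) are easier to reason about when you can run them. The following is an added example, not AWS's evaluation engine and not code from this page: a simplified single-policy evaluator that implements exactly those rules for one action on one resource ARN. The sample policy, the account ID 123456789012, the user names and the instance and AMI IDs are constructed for illustration; only the StringEquals and StringLike operators (and their IfExists forms) are modelled.

```python
import re

# Added example, not AWS's evaluation engine: a simplified model of how one
# identity policy decides one request. Only StringEquals/StringLike and their
# ...IfExists forms are modelled; other condition operators raise ValueError.

def wildcard_match(pattern, value, ignore_case=False):
    """True if value matches an IAM-style pattern: * is any run, ? is one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def as_list(value):
    return value if isinstance(value, list) else [value]

def substitute_variables(value, context):
    """Replace policy variables such as ${aws:username} with request context values."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: str(context.get(m.group(1).lower(), m.group(0))), value)

def condition_met(operator, key, wanted, context):
    """Evaluate one condition key; several values for the same key are ORed."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    actual = context.get(key.lower())          # condition keys are not case-sensitive
    if actual is None:
        return if_exists                        # a missing key passes only for ...IfExists
    wanted = [substitute_variables(w, context) for w in as_list(wanted)]
    if base == "StringEquals":
        return any(actual == w for w in wanted)
    if base == "StringLike":
        return any(wildcard_match(w, actual) for w in wanted)
    raise ValueError(f"unsupported condition operator: {operator}")

def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one action on one resource ARN."""
    context = {k.lower(): v for k, v in (context or {}).items()}
    decision = "ImplicitDeny"                   # nothing is allowed until a statement says so
    for stmt in policy["Statement"]:
        if not any(wildcard_match(p, action, ignore_case=True) for p in as_list(stmt["Action"])):
            continue
        if not any(wildcard_match(p, resource) for p in as_list(stmt["Resource"])):
            continue
        # every operator/key pair in the Condition block must hold (logical AND)
        if not all(condition_met(op, key, val, context)
                   for op, pairs in stmt.get("Condition", {}).items()
                   for key, val in pairs.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"               # a matching deny wins regardless of order
        decision = "Allow"
    return decision

# Constructed sample policy (hypothetical account 123456789012, user names and IDs).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}}},
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*",
         # RunInstances touches several resource types; ec2:InstanceType exists only on
         # the instance, so ...IfExists keeps the check from failing on the AMI, subnet, etc.
         "Condition": {"StringLikeIfExists": {"ec2:InstanceType": ["t2.*", "t3.*"]}}},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0"
IMAGE = "arn:aws:ec2:us-east-1::image/ami-0abcdef1234567890"

if __name__ == "__main__":
    alice = {"aws:username": "alice", "ec2:ResourceTag/Owner": "alice"}
    print(evaluate(POLICY, "ec2:DescribeInstances", "*"))                      # Allow
    print(evaluate(POLICY, "ec2:StartInstances", INSTANCE, alice))              # Allow
    print(evaluate(POLICY, "ec2:TerminateInstances", INSTANCE, alice))          # ExplicitDeny
    print(evaluate(POLICY, "ec2:RunInstances", INSTANCE, {"ec2:InstanceType": "m5.large"}))  # ImplicitDeny
```

The TerminateInstances case is the one to study: the second statement allows it for the instance's owner, but the Deny statement matches too, and the deny wins. The RunInstances case shows the Important note above in action: with plain StringLike instead of StringLikeIfExists, the call would be refused on the AMI ARN because the ec2:InstanceType key is absent there.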

Checking That Users Have the Required Permissions

After you've created an IAM policy, we recommend that you check whether it
grants users the permissions to use the particular API actions and resources
they need before you put the policy into production.

First, create an IAM user for testing purposes, and then attach the IAM
policy that you created to the test user. Then, make a request as the test
user.

If the Amazon EC2 action that you are testing creates or modifies a resource, you
should make the request using the DryRun parameter (or run the
AWS CLI command with the --dry-run option). In this case, the call
completes the authorization check, but does not complete the operation. For
example, you can check whether the user can terminate a particular instance
without actually terminating it. If the test user has the required permissions,
the request returns DryRunOperation; otherwise, it returns
UnauthorizedOperation.

If the policy doesn't grant the user the permissions that you expected, or is
overly permissive, you can adjust the policy as needed and retest until you get
the desired results.

Important

It can take several minutes for policy changes to propagate before they
take effect. Therefore, we recommend that you allow five minutes to pass
before you test your policy updates.

If an authorization check fails, the request returns an encoded message with
diagnostic information. You can decode the message using the
DecodeAuthorizationMessage action. For more information, see
DecodeAuthorizationMessage in the
AWS Security Token Service API Reference, and decode-authorization-message in the
AWS CLI Command Reference.
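The test procedure described in this section (make the call as the test user with DryRun, read DryRunOperation or UnauthorizedOperation, decode the failure message with DecodeAuthorizationMessage) can be scripted so that a whole list of actions is checked in one run. The following is an added example, not code from this page or from AWS: it assumes boto3-style clients whose exceptions carry a response["Error"] dict (botocore's ClientError does), assumes that an UnauthorizedOperation message embeds the encoded diagnostic after the text "Encoded authorization failure message: ", and uses a hypothetical profile name policy-test-user for the test user. The logic is kept independent of boto3 so it can be exercised offline with stand-in clients.

```python
# Added example, not AWS code: run a batch of EC2 calls with DryRun=True as the
# test user and report allowed / denied per call, decoding denial diagnostics via STS.
# Assumes boto3-style clients; exceptions must expose .response["Error"] as
# botocore.exceptions.ClientError does.
ENCODED_PREFIX = "Encoded authorization failure message: "   # assumed layout of the denial message

def dry_run_verdict(error_code):
    """Translate the error code raised by a DryRun call into a verdict."""
    return {"DryRunOperation": "allowed", "UnauthorizedOperation": "denied"}.get(error_code, "error")

def decode_denial(sts, message):
    """Return the decoded diagnostic for an UnauthorizedOperation message, else the message itself."""
    if ENCODED_PREFIX not in message:
        return message
    encoded = message.split(ENCODED_PREFIX, 1)[1].strip()
    return sts.decode_authorization_message(EncodedMessage=encoded)["DecodedMessage"]

def check_permissions(ec2, checks, sts=None):
    """checks: list of (ec2 client method name, kwargs). Returns [(method, verdict, detail)]."""
    results = []
    for method, kwargs in checks:
        try:
            getattr(ec2, method)(DryRun=True, **kwargs)
            # A DryRun call must never complete; reaching here means the flag was ignored.
            results.append((method, "error", "call completed despite DryRun=True"))
        except Exception as exc:
            err = getattr(exc, "response", {}).get("Error", {})
            verdict = dry_run_verdict(err.get("Code"))
            detail = err.get("Message", str(exc))
            if verdict == "denied" and sts is not None:
                detail = decode_denial(sts, detail)
            results.append((method, verdict, detail))
    return results

if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS
    session = boto3.Session(profile_name="policy-test-user")   # assumed profile for the test user
    report = check_permissions(
        session.client("ec2", region_name="us-east-1"),
        [("describe_instances", {}),
         ("stop_instances", {"InstanceIds": ["i-1234567890abcdef0"]}),
         ("terminate_instances", {"InstanceIds": ["i-1234567890abcdef0"]})],
        sts=session.client("sts", region_name="us-east-1"),
    )
    for method, verdict, detail in report:
        print(f"{method:20} {verdict:8} {detail}")
```

Two practical notes: the identity that calls DecodeAuthorizationMessage needs the sts:DecodeAuthorizationMessage permission itself, so either grant it to the test user or pass an STS client for a separate administrative session; and because policy changes take minutes to propagate, rerun the batch after each edit rather than trusting the first result.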